diff --git a/docs/resources/openid_client.md b/docs/resources/openid_client.md index 44d9cbd20..4fac7e2c6 100644 --- a/docs/resources/openid_client.md +++ b/docs/resources/openid_client.md @@ -31,6 +31,11 @@ resource "keycloak_openid_client" "openid_client" { ] login_theme = "keycloak" + + extra_config = { + "key1" = "value1" + "key2" = "value2" + } } ``` @@ -76,8 +81,10 @@ is set to `true`. - `authorization` - (Optional) When this block is present, fine-grained authorization will be enabled for this client. The client's `access_type` must be `CONFIDENTIAL`, and `service_accounts_enabled` must be `true`. This block has the following arguments: - `policy_enforcement_mode` - (Required) Dictates how policies are enforced when evaluating authorization requests. Can be one of `ENFORCING`, `PERMISSIVE`, or `DISABLED`. - `decision_strategy` - (Optional) Dictates how the policies associated with a given permission are evaluated and how a final decision is obtained. Could be one of `AFFIRMATIVE`, `CONSENSUS`, or `UNANIMOUS`. Applies to permissions. - - `allow_remote_resource_management` - (Optional) When `true`, resources can be managed remotely by the resource server. Defaults to `false`. + - `allow_remote_resource_management` - (Optional) When `true`, resources can be managed remotely by the resource server. Defaults to + `false`. - `keep_defaults` - (Optional) When `true`, defaults set by Keycloak will be respected. Defaults to `false`. +- `extra_config` - (Optional) A map of key/value pairs to add extra configuration attributes to this client. This can be used for custom attributes, or to add configuration attributes that is not yet supported by this Terraform provider. Use this attribute at your own risk, as s may conflict with top-level configuration attributes in future provider updates. ## Attributes Reference diff --git a/example/main.tf b/example/main.tf index f1b9912aa..cf24f4e22 100644 --- a/example/main.tf +++ b/example/main.tf 
@@ -210,6 +210,10 @@ resource "keycloak_openid_client" "test_client" { pkce_code_challenge_method = "plain" login_theme = "keycloak" + + extra_config = { + customAttribute = "a test custom value" + } } resource "keycloak_openid_client_scope" "test_default_client_scope" { diff --git a/keycloak/openid_client.go b/keycloak/openid_client.go index 6efb1f945..df5a3ea2c 100644 --- a/keycloak/openid_client.go +++ b/keycloak/openid_client.go @@ -1,7 +1,11 @@ package keycloak import ( + "encoding/json" "fmt" + "reflect" + "strconv" + "strings" ) type OpenidClientRole struct { 
@@ -55,15 +59,16 @@ type OpenidClient struct { } type OpenidClientAttributes struct { - PkceCodeChallengeMethod string `json:"pkce.code.challenge.method"` - ExcludeSessionStateFromAuthResponse KeycloakBoolQuoted `json:"exclude.session.state.from.auth.response"` - AccessTokenLifespan string `json:"access.token.lifespan"` - LoginTheme string `json:"login_theme"` - ClientOfflineSessionIdleTimeout string `json:"client.offline.session.idle.timeout,omitempty"` - ClientOfflineSessionMaxLifespan string `json:"client.offline.session.max.lifespan,omitempty"` - ClientSessionIdleTimeout string `json:"client.session.idle.timeout,omitempty"` - ClientSessionMaxLifespan string `json:"client.session.max.lifespan,omitempty"` - UseRefreshTokens KeycloakBoolQuoted `json:"use.refresh.tokens"` + PkceCodeChallengeMethod string `json:"pkce.code.challenge.method"` + ExcludeSessionStateFromAuthResponse KeycloakBoolQuoted `json:"exclude.session.state.from.auth.response"` + AccessTokenLifespan string `json:"access.token.lifespan"` + LoginTheme string `json:"login_theme"` + ClientOfflineSessionIdleTimeout string `json:"client.offline.session.idle.timeout,omitempty"` + ClientOfflineSessionMaxLifespan string `json:"client.offline.session.max.lifespan,omitempty"` + ClientSessionIdleTimeout string `json:"client.session.idle.timeout,omitempty"` + ClientSessionMaxLifespan string `json:"client.session.max.lifespan,omitempty"` + UseRefreshTokens KeycloakBoolQuoted `json:"use.refresh.tokens"` + ExtraConfig map[string]interface{} `json:"-"` } type OpenidAuthenticationFlowBindingOverrides struct { 
@@ -344,3 +349,57 @@ func (keycloakClient *KeycloakClient) DetachOpenidClientDefaultScopes(realmId, c func (keycloakClient *KeycloakClient) DetachOpenidClientOptionalScopes(realmId, clientId string, scopeNames []string) error { return keycloakClient.detachOpenidClientScopes(realmId, clientId, "optional", scopeNames) } + +func (f *OpenidClientAttributes) UnmarshalJSON(data []byte) error { + f.ExtraConfig = map[string]interface{}{} + err := json.Unmarshal(data, &f.ExtraConfig) + if err != nil { + return err + } + v := reflect.ValueOf(f).Elem() + for i := 0; i < v.NumField(); i++ { + structField := v.Type().Field(i) + jsonKey := strings.Split(structField.Tag.Get("json"), ",")[0] + if jsonKey != "-" { + value, ok := f.ExtraConfig[jsonKey] + if ok { + field := v.FieldByName(structField.Name) + if field.IsValid() && field.CanSet() { + if field.Kind() == reflect.String { + field.SetString(value.(string)) + } else if field.Kind() == reflect.Bool { + boolVal, err := strconv.ParseBool(value.(string)) + if err == nil { + field.Set(reflect.ValueOf(KeycloakBoolQuoted(boolVal))) + } + } + delete(f.ExtraConfig, jsonKey) + } + } + } + } + return nil +} + +func (f *OpenidClientAttributes) MarshalJSON() ([]byte, error) { + out := map[string]interface{}{} + + for k, v := range f.ExtraConfig { + out[k] = v + } + v := reflect.ValueOf(f).Elem() + for i := 0; i < v.NumField(); i++ { + jsonKey := strings.Split(v.Type().Field(i).Tag.Get("json"), ",")[0] + if jsonKey != "-" { + field := v.Field(i) + if field.IsValid() && field.CanSet() { + if field.Kind() == reflect.String { + out[jsonKey] = field.String() + } else if field.Kind() == reflect.Bool { + out[jsonKey] = KeycloakBoolQuoted(field.Bool()) + } + } + } + } + return json.Marshal(out) +} diff --git a/provider/data_source_keycloak_openid_client.go b/provider/data_source_keycloak_openid_client.go index 80306aa2c..5317cf37c 100644 --- a/provider/data_source_keycloak_openid_client.go +++ b/provider/data_source_keycloak_openid_client.go 
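Review bot: In `UnmarshalJSON` both `value.(string)` assertions are unchecked, so if the Keycloak API returns a JSON number, boolean, object or null for one of the known attribute keys, the provider panics instead of reporting an error. Use the two-value form once before the kind switch, `strVal, isString := value.(string)` followed by `if !isString { return fmt.Errorf("client attribute %q: expected a JSON string, got %T", jsonKey, value) }`, and pass `strVal` to `SetString` and `ParseBool`. A `strconv.ParseBool` failure is also swallowed: the field keeps its zero value and the key is still deleted from `ExtraConfig`, so the bad value disappears without a trace. Separately, `MarshalJSON` writes every string field unconditionally, so the `omitempty` options on the four session timeout/lifespan tags of `OpenidClientAttributes` are no longer honoured and empty strings are now sent for them; please confirm that is intended.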
@@ -172,6 +172,11 @@ func dataSourceKeycloakOpenidClient() *schema.Resource { Optional: true, Default: true, }, + "extra_config": { + Type: schema.TypeMap, + Optional: true, + Computed: true, + }, }, } } diff --git a/provider/data_source_keycloak_openid_client_authorization_policy_test.go b/provider/data_source_keycloak_openid_client_authorization_policy_test.go index a9b17d850..9cd37f09f 100644 --- a/provider/data_source_keycloak_openid_client_authorization_policy_test.go +++ b/provider/data_source_keycloak_openid_client_authorization_policy_test.go @@ -2,10 +2,11 @@ package provider import ( "fmt" - "github.com/hashicorp/terraform-plugin-sdk/v2/helper/acctest" - "github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource" "regexp" "testing" + + "github.com/hashicorp/terraform-plugin-sdk/v2/helper/acctest" + "github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource" ) func TestAccKeycloakDataSourceOpenidClientAuthorizationPolicy_basic(t *testing.T) { @@ -53,6 +54,10 @@ resource "keycloak_openid_client" "test" { authorization { policy_enforcement_mode = "ENFORCING" } + extra_config = { + "backchannel.logout.revoke.offline.tokens" = "false" + "backchannel.logout.session.required" = "true" + } } data "keycloak_openid_client_authorization_policy" "test" { diff --git a/provider/data_source_keycloak_openid_client_service_account_user_test.go b/provider/data_source_keycloak_openid_client_service_account_user_test.go index d088952af..f9b9b9127 100644 --- a/provider/data_source_keycloak_openid_client_service_account_user_test.go +++ b/provider/data_source_keycloak_openid_client_service_account_user_test.go 
@@ -2,10 +2,11 @@ package provider import ( "fmt" - "github.com/hashicorp/terraform-plugin-sdk/v2/helper/acctest" - "github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource" "regexp" "testing" + + "github.com/hashicorp/terraform-plugin-sdk/v2/helper/acctest" + "github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource" ) func TestAccKeycloakDataSourceOpenidClientServiceAccountUser_basic(t *testing.T) { @@ -53,6 +54,10 @@ resource "keycloak_openid_client" "test" { web_origins = [ "http://localhost" ] + extra_config = { + "backchannel.logout.revoke.offline.tokens" = "false" + "backchannel.logout.session.required" = "true" + } } data keycloak_openid_client_service_account_user test { diff --git a/provider/data_source_keycloak_openid_client_test.go b/provider/data_source_keycloak_openid_client_test.go index ba1518ce8..b28db189d 100644 --- a/provider/data_source_keycloak_openid_client_test.go +++ b/provider/data_source_keycloak_openid_client_test.go @@ -2,9 +2,10 @@ package provider import ( "fmt" + "testing" + "github.com/hashicorp/terraform-plugin-sdk/v2/helper/acctest" "github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource" - "testing" ) func TestAccKeycloakDataSourceOpenidClient_basic(t *testing.T) { @@ -64,6 +65,10 @@ resource "keycloak_openid_client" "test" { "http://localhost" ] full_scope_allowed = false + extra_config = { + "backchannel.logout.revoke.offline.tokens" = "false" + "backchannel.logout.session.required" = "true" + } } data "keycloak_openid_client" "test" { 
@@ -76,3 +81,53 @@ data "keycloak_openid_client" "test" { } `, testAccRealm.Realm, clientId, clientId) } + +func TestAccKeycloakDataSourceOpenidClient_extraConfig(t *testing.T) { + t.Parallel() + clientId := acctest.RandomWithPrefix("tf-acc-test-extra-config") + dataSourceName := "data.keycloak_openid_client.test-extra-config" + resourceName := "keycloak_openid_client.test-extra-config" + + resource.Test(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + ProviderFactories: testAccProviderFactories, + Steps: []resource.TestStep{ + { + Config: testAccKeycloakOpenidClientConfig_extraConfig(clientId), + Check: resource.ComposeAggregateTestCheckFunc( + resource.TestCheckResourceAttrPair(dataSourceName, "key1", resourceName, "value1"), + ), + }, + }, + }) +} + +func testAccKeycloakOpenidClientConfig_extraConfig(clientId string) string { + return fmt.Sprintf(` +data "keycloak_realm" "realm" { + realm = "%s" +} + +resource "keycloak_openid_client" "test-extra-config" { + name = "%s" + client_id = "%s" + realm_id = data.keycloak_realm.realm.id + description = "a test openid client with extra_conf" + access_type = "CONFIDENTIAL" + extra_config = { + "backchannel.logout.revoke.offline.tokens" = "false" + "backchannel.logout.session.required" = "true" + "key1" = "value1" + } +} + +data "keycloak_openid_client" "test-extra-config" { + realm_id = data.keycloak_realm.realm.id + client_id = keycloak_openid_client.test-extra-config.client_id + + depends_on = [ + keycloak_openid_client.test-extra-config, + ] +} +`, testAccRealm.Realm, clientId, clientId) +} diff --git a/provider/data_source_keycloak_role_test.go b/provider/data_source_keycloak_role_test.go index 4d445a167..c2218b58a 100644 --- a/provider/data_source_keycloak_role_test.go +++ b/provider/data_source_keycloak_role_test.go 
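Review bot: The only check in `TestAccKeycloakDataSourceOpenidClient_extraConfig` compares attribute `key1` of the data source with attribute `value1` of the resource, and neither is an attribute path that exists in state; map entries are addressed as `extra_config.key1`. As far as I recall, `TestCheckResourceAttrPair` treats two absent attributes as equal, so this test would pass even if `extra_config` were never sent or read back. Change the call to `resource.TestCheckResourceAttrPair(dataSourceName, "extra_config.key1", resourceName, "extra_config.key1")`, and consider adding `resource.TestCheckResourceAttr(resourceName, "extra_config.key1", "value1")` so the value itself is pinned.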
@@ -2,10 +2,11 @@ package provider import ( "fmt" + "testing" + "github.com/hashicorp/terraform-plugin-sdk/v2/helper/acctest" "github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource" "github.com/hashicorp/terraform-plugin-sdk/v2/terraform" - "testing" ) func TestAccKeycloakDataSourceRole_basic(t *testing.T) { @@ -81,6 +82,10 @@ resource "keycloak_openid_client" "client" { client_id = "%s" realm_id = data.keycloak_realm.realm.id access_type = "CONFIDENTIAL" + extra_config = { + "backchannel.logout.revoke.offline.tokens" = "false" + "backchannel.logout.session.required" = "true" + } } resource "keycloak_role" "realm_role" { diff --git a/provider/generic_protocol_mapper_validation_test.go b/provider/generic_protocol_mapper_validation_test.go index a3550b77b..720eb9dbb 100644 --- a/provider/generic_protocol_mapper_validation_test.go +++ b/provider/generic_protocol_mapper_validation_test.go @@ -497,6 +497,11 @@ resource "keycloak_openid_client" "openid_client" { client_id = "%s" access_type = "BEARER-ONLY" + + extra_config = { + "backchannel.logout.revoke.offline.tokens" = "false" + "backchannel.logout.session.required" = "true" + } } resource "keycloak_openid_group_membership_protocol_mapper" "group_membership_mapper_client" { @@ -519,6 +524,11 @@ resource "keycloak_openid_client" "openid_client" { client_id = "%s" access_type = "BEARER-ONLY" + + extra_config = { + "backchannel.logout.revoke.offline.tokens" = "false" + "backchannel.logout.session.required" = "true" + } } resource "keycloak_openid_full_name_protocol_mapper" "full_name_mapper_client" { @@ -539,6 +549,11 @@ resource "keycloak_openid_client" "openid_client" { client_id = "%s" access_type = "BEARER-ONLY" + + extra_config = { + "backchannel.logout.revoke.offline.tokens" = "false" + "backchannel.logout.session.required" = "true" + } } resource "keycloak_openid_user_attribute_protocol_mapper" "user_attribute_mapper_client" { 
@@ -561,6 +576,11 @@ resource "keycloak_openid_client" "openid_client" { client_id = "%s" access_type = "BEARER-ONLY" + + extra_config = { + "backchannel.logout.revoke.offline.tokens" = "false" + "backchannel.logout.session.required" = "true" + } } resource "keycloak_openid_user_property_protocol_mapper" "user_property_mapper_client" { @@ -583,6 +603,11 @@ resource "keycloak_openid_client" "openid_client" { client_id = "%s" access_type = "BEARER-ONLY" + + extra_config = { + "backchannel.logout.revoke.offline.tokens" = "false" + "backchannel.logout.session.required" = "true" + } } resource "keycloak_openid_group_membership_protocol_mapper" "group_membership_mapper_client" { @@ -611,6 +636,11 @@ resource "keycloak_openid_client" "openid_client" { client_id = "%s" access_type = "BEARER-ONLY" + + extra_config = { + "backchannel.logout.revoke.offline.tokens" = "false" + "backchannel.logout.session.required" = "true" + } } resource "keycloak_openid_group_membership_protocol_mapper" "group_membership_mapper_client" { @@ -641,6 +671,11 @@ resource "keycloak_openid_client" "openid_client" { client_id = "%s" access_type = "BEARER-ONLY" + + extra_config = { + "backchannel.logout.revoke.offline.tokens" = "false" + "backchannel.logout.session.required" = "true" + } } resource "keycloak_openid_user_attribute_protocol_mapper" "user_attribute_mapper_client" { @@ -671,6 +706,11 @@ resource "keycloak_openid_client" "openid_client" { client_id = "%s" access_type = "BEARER-ONLY" + + extra_config = { + "backchannel.logout.revoke.offline.tokens" = "false" + "backchannel.logout.session.required" = "true" + } } resource "keycloak_openid_user_property_protocol_mapper" "user_property_mapper_client" { 
@@ -720,6 +760,11 @@ resource "keycloak_openid_client" "openid_client" { realm_id = data.keycloak_realm.realm.id client_id = "%s" access_type = "BEARER-ONLY" + + extra_config = { + "backchannel.logout.revoke.offline.tokens" = "false" + "backchannel.logout.session.required" = "true" + } } resource "keycloak_openid_user_session_note_protocol_mapper" "user_session_note_mapper_validation" { name = "%s" @@ -745,6 +790,11 @@ resource "keycloak_openid_client" "openid_client" { realm_id = data.keycloak_realm.realm.id client_id = "%s" access_type = "BEARER-ONLY" + + extra_config = { + "backchannel.logout.revoke.offline.tokens" = "false" + "backchannel.logout.session.required" = "true" + } } resource "keycloak_openid_user_realm_role_protocol_mapper" "user_realm_role_mapper_client" { name = "%s" diff --git a/provider/resource_keycloak_generic_client_role_mapper_test.go b/provider/resource_keycloak_generic_client_role_mapper_test.go index 78787547c..f2adc49cc 100644 --- a/provider/resource_keycloak_generic_client_role_mapper_test.go +++ b/provider/resource_keycloak_generic_client_role_mapper_test.go @@ -322,6 +322,11 @@ resource "keycloak_openid_client" "parent-client" { realm_id = data.keycloak_realm.realm.id client_id = "%s" access_type = "PUBLIC" + + extra_config = { + "backchannel.logout.revoke.offline.tokens" = "false" + "backchannel.logout.session.required" = "true" + } } resource "keycloak_role" "parent-role" { @@ -334,6 +339,11 @@ resource "keycloak_openid_client" "child-client" { realm_id = data.keycloak_realm.realm.id client_id = "%s" access_type = "PUBLIC" + + extra_config = { + "backchannel.logout.revoke.offline.tokens" = "false" + "backchannel.logout.session.required" = "true" + } } resource "keycloak_generic_client_role_mapper" "child-client-with-parent-client-role" { 
@@ -354,6 +364,11 @@ resource "keycloak_openid_client" "client" { realm_id = data.keycloak_realm.realm.id client_id = "%s" access_type = "PUBLIC" + + extra_config = { + "backchannel.logout.revoke.offline.tokens" = "false" + "backchannel.logout.session.required" = "true" + } } resource "keycloak_role" "role" { diff --git a/provider/resource_keycloak_group_roles_test.go b/provider/resource_keycloak_group_roles_test.go index 6574163c4..4b16cb7d5 100644 --- a/provider/resource_keycloak_group_roles_test.go +++ b/provider/resource_keycloak_group_roles_test.go @@ -2,12 +2,13 @@ package provider import ( "fmt" + "regexp" + "testing" + "github.com/hashicorp/terraform-plugin-sdk/v2/helper/acctest" "github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource" "github.com/hashicorp/terraform-plugin-sdk/v2/terraform" "github.com/mrparkers/terraform-provider-keycloak/keycloak" - "regexp" - "testing" ) func TestAccKeycloakGroupRoles_basic(t *testing.T) { @@ -414,6 +415,11 @@ resource "keycloak_openid_client" "openid_client" { client_id = "%s" realm_id = data.keycloak_realm.realm.id access_type = "CONFIDENTIAL" + + extra_config = { + "backchannel.logout.revoke.offline.tokens" = "false" + "backchannel.logout.session.required" = "true" + } } resource "keycloak_saml_client" "saml_client" { @@ -472,6 +478,11 @@ resource "keycloak_openid_client" "openid_client" { client_id = "%s" realm_id = data.keycloak_realm.realm.id access_type = "CONFIDENTIAL" + + extra_config = { + "backchannel.logout.revoke.offline.tokens" = "false" + "backchannel.logout.session.required" = "true" + } } resource "keycloak_saml_client" "saml_client" { @@ -529,6 +540,11 @@ resource "keycloak_openid_client" "openid_client" { client_id = "%s" realm_id = data.keycloak_realm.realm.id access_type = "CONFIDENTIAL" + + extra_config = { + "backchannel.logout.revoke.offline.tokens" = "false" + "backchannel.logout.session.required" = "true" + } } resource "keycloak_saml_client" "saml_client" { 
@@ -577,6 +593,11 @@ resource "keycloak_openid_client" "openid_client" { client_id = "%s" realm_id = data.keycloak_realm.realm.id access_type = "CONFIDENTIAL" + + extra_config = { + "backchannel.logout.revoke.offline.tokens" = "false" + "backchannel.logout.session.required" = "true" + } } resource "keycloak_saml_client" "saml_client" { @@ -650,6 +671,11 @@ resource "keycloak_openid_client" "openid_client" { client_id = "%s" realm_id = data.keycloak_realm.realm.id access_type = "CONFIDENTIAL" + + extra_config = { + "backchannel.logout.revoke.offline.tokens" = "false" + "backchannel.logout.session.required" = "true" + } } resource "keycloak_saml_client" "saml_client" { diff --git a/provider/resource_keycloak_identity_provider_token_exchange_scope_permission_test.go b/provider/resource_keycloak_identity_provider_token_exchange_scope_permission_test.go index b4daacd5a..553e4a82d 100644 --- a/provider/resource_keycloak_identity_provider_token_exchange_scope_permission_test.go +++ b/provider/resource_keycloak_identity_provider_token_exchange_scope_permission_test.go @@ -2,12 +2,13 @@ package provider import ( "fmt" + "regexp" + "testing" + "github.com/hashicorp/terraform-plugin-sdk/v2/helper/acctest" "github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource" "github.com/hashicorp/terraform-plugin-sdk/v2/terraform" "github.com/mrparkers/terraform-provider-keycloak/keycloak" - "regexp" - "testing" ) func TestAccKeycloakIdpTokenExchangeScopePermission_basic(t *testing.T) { @@ -343,6 +344,10 @@ resource "keycloak_openid_client" "webapp_client" { valid_redirect_uris = [ "http://localhost:8080/*", ] + extra_config = { + "backchannel.logout.revoke.offline.tokens" = "false" + "backchannel.logout.session.required" = "true" + } } resource "keycloak_identity_provider_token_exchange_scope_permission" "my_permission" { 
@@ -381,6 +386,10 @@ resource "keycloak_openid_client" "webapp_client" { valid_redirect_uris = [ "http://localhost:8080/*", ] + extra_config = { + "backchannel.logout.revoke.offline.tokens" = "false" + "backchannel.logout.session.required" = "true" + } } resource "keycloak_openid_client" "webapp_client2" { @@ -390,9 +399,13 @@ resource "keycloak_openid_client" "webapp_client2" { client_secret = "secret" access_type = "CONFIDENTIAL" standard_flow_enabled = true - valid_redirect_uris = [ + valid_redirect_uris = [ "http://localhost:8080/*", ] + extra_config = { + "backchannel.logout.revoke.offline.tokens" = "false" + "backchannel.logout.session.required" = "true" + } } resource "keycloak_identity_provider_token_exchange_scope_permission" "my_permission" { @@ -432,6 +445,10 @@ resource "keycloak_openid_client" "webapp_client" { valid_redirect_uris = [ "http://localhost:8080/*", ] + extra_config = { + "backchannel.logout.revoke.offline.tokens" = "false" + "backchannel.logout.session.required" = "true" + } } resource "keycloak_identity_provider_token_exchange_scope_permission" "my_permission" { diff --git a/provider/resource_keycloak_openid_audience_protocol_mapper_test.go b/provider/resource_keycloak_openid_audience_protocol_mapper_test.go index 058345d92..c829dc06f 100644 --- a/provider/resource_keycloak_openid_audience_protocol_mapper_test.go +++ b/provider/resource_keycloak_openid_audience_protocol_mapper_test.go @@ -309,6 +309,11 @@ resource "keycloak_openid_client" "openid_client" { client_id = "%s" access_type = "BEARER-ONLY" + + extra_config = { + "backchannel.logout.revoke.offline.tokens" = "false" + "backchannel.logout.session.required" = "true" + } } resource "keycloak_openid_audience_protocol_mapper" "audience_mapper_client" { 
@@ -351,6 +356,11 @@ resource "keycloak_openid_client" "openid_client" { client_id = "%s" access_type = "BEARER-ONLY" + + extra_config = { + "backchannel.logout.revoke.offline.tokens" = "false" + "backchannel.logout.session.required" = "true" + } } resource "keycloak_openid_audience_protocol_mapper" "audience_mapper_client" { @@ -390,6 +400,11 @@ resource "keycloak_openid_client" "openid_client" { standard_flow_enabled = true valid_redirect_uris = ["http://localhost:5555/callback"] + + extra_config = { + "backchannel.logout.revoke.offline.tokens" = "false" + "backchannel.logout.session.required" = "true" + } } resource "keycloak_openid_audience_protocol_mapper" "audience_mapper" { @@ -412,6 +427,11 @@ resource "keycloak_openid_client" "openid_client" { client_id = "%s" access_type = "BEARER-ONLY" + + extra_config = { + "backchannel.logout.revoke.offline.tokens" = "false" + "backchannel.logout.session.required" = "true" + } } resource "keycloak_openid_client_scope" "client_scope" { @@ -440,6 +460,11 @@ resource "keycloak_openid_client" "openid_client" { client_id = "%s" access_type = "BEARER-ONLY" + + extra_config = { + "backchannel.logout.revoke.offline.tokens" = "false" + "backchannel.logout.session.required" = "true" + } } resource "keycloak_openid_audience_protocol_mapper" "audience_mapper" { @@ -463,6 +488,11 @@ resource "keycloak_openid_client" "openid_client" { client_id = "openid-client" access_type = "BEARER-ONLY" + + extra_config = { + "backchannel.logout.revoke.offline.tokens" = "false" + "backchannel.logout.session.required" = "true" + } } resource "keycloak_openid_audience_protocol_mapper" "audience_mapper" { diff --git a/provider/resource_keycloak_openid_client.go b/provider/resource_keycloak_openid_client.go index ddee8dd1f..d95425916 100644 --- a/provider/resource_keycloak_openid_client.go +++ b/provider/resource_keycloak_openid_client.go 
@@ -4,8 +4,11 @@ import ( "context" "errors" "fmt" + "reflect" "strings" + "github.com/hashicorp/go-cty/cty" + "github.com/hashicorp/terraform-plugin-sdk/v2/diag" "github.com/hashicorp/terraform-plugin-sdk/v2/helper/customdiff" "github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema" "github.com/hashicorp/terraform-plugin-sdk/v2/helper/validation" @@ -211,6 +214,37 @@ func resourceKeycloakOpenidClient() *schema.Resource { Optional: true, Default: true, }, + "extra_config": { + Type: schema.TypeMap, + Optional: true, + // you aren't allowed to specify any keys in extra_config that could be defined as top level attributes + ValidateDiagFunc: func(v interface{}, path cty.Path) diag.Diagnostics { + var diags diag.Diagnostics + + extraConfig := v.(map[string]interface{}) + value := reflect.ValueOf(&keycloak.IdentityProviderConfig{}).Elem() + + for i := 0; i < value.NumField(); i++ { + field := value.Field(i) + jsonKey := strings.Split(value.Type().Field(i).Tag.Get("json"), ",")[0] + + if jsonKey != "-" && field.CanSet() { + if _, ok := extraConfig[jsonKey]; ok { + diags = append(diags, diag.Diagnostic{ + Severity: diag.Error, + Summary: "Invalid extra_config key", + Detail: fmt.Sprintf(`extra_config key "%s" is not allowed, as it conflicts with a top-level schema attribute`, jsonKey), + AttributePath: append(path, cty.IndexStep{ + Key: cty.StringVal(jsonKey), + }), + }) + } + } + } + + return diags + }, + }, }, CustomizeDiff: customdiff.ComputedIf("service_account_user_id", func(ctx context.Context, d *schema.ResourceDiff, meta interface{}) bool { return d.HasChange("service_accounts_enabled") 
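Review bot: The `extra_config` validator reflects over `keycloak.IdentityProviderConfig{}` rather than the attribute struct this resource serialises, so it checks identity-provider JSON keys and lets through the keys that actually collide here, such as `pkce.code.challenge.method` or `use.refresh.tokens`. Because `MarshalJSON` in `keycloak/openid_client.go` copies `ExtraConfig` first and then overwrites it with the struct fields, such a key is accepted at plan time and then silently replaced by the top-level value, which is easy to miss for a security-relevant client setting. The line should read `value := reflect.ValueOf(&keycloak.OpenidClientAttributes{}).Elem()`; the `ExtraConfig` field is tagged `json:"-"` and is already skipped by the `jsonKey != "-"` test. A unit test that passes a known attribute key to the validator and expects a diagnostic would keep this from regressing.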
@@ -253,6 +287,13 @@ func getOpenidClientFromData(data *schema.ResourceData) (*keycloak.OpenidClient, } } + extraConfig := map[string]interface{}{} + if v, ok := data.GetOk("extra_config"); ok { + for key, value := range v.(map[string]interface{}) { + extraConfig[key] = value + } + } + openidClient := &keycloak.OpenidClient{ Id: data.Id(), ClientId: data.Get("client_id").(string), @@ -276,6 +317,7 @@ func getOpenidClientFromData(data *schema.ResourceData) (*keycloak.OpenidClient, ClientSessionIdleTimeout: data.Get("client_session_idle_timeout").(string), ClientSessionMaxLifespan: data.Get("client_session_max_lifespan").(string), UseRefreshTokens: keycloak.KeycloakBoolQuoted(data.Get("use_refresh_tokens").(bool)), + ExtraConfig: extraConfig, }, ValidRedirectUris: validRedirectUris, WebOrigins: webOrigins, @@ -368,6 +410,7 @@ func setOpenidClientData(keycloakClient *keycloak.KeycloakClient, data *schema.R data.Set("client_offline_session_max_lifespan", client.Attributes.ClientOfflineSessionMaxLifespan) data.Set("client_session_idle_timeout", client.Attributes.ClientSessionIdleTimeout) data.Set("client_session_max_lifespan", client.Attributes.ClientSessionMaxLifespan) + data.Set("extra_config", client.Attributes.ExtraConfig) if client.AuthorizationServicesEnabled { data.Set("resource_server_id", client.Id) diff --git a/provider/resource_keycloak_openid_client_authorization_aggregate_policy_test.go b/provider/resource_keycloak_openid_client_authorization_aggregate_policy_test.go index 621b0c922..4c585fd1a 100644 --- a/provider/resource_keycloak_openid_client_authorization_aggregate_policy_test.go +++ b/provider/resource_keycloak_openid_client_authorization_aggregate_policy_test.go @@ -91,6 +91,10 @@ resource keycloak_openid_client test { authorization { policy_enforcement_mode = "ENFORCING" } + extra_config = { + "backchannel.logout.revoke.offline.tokens" = "false" + "backchannel.logout.session.required" = "true" + } } resource "keycloak_role" "test" { 
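Review bot: `data.Set("extra_config", client.Attributes.ExtraConfig)` in `setOpenidClientData` stores every attribute the server returns that has no struct field, not just the keys the configuration declares. The resource schema marks `extra_config` as `Optional` without `Computed`, so any server-populated attribute will presumably surface as a diff on the next plan (the two `backchannel.logout.*` entries added to nearly every test fixture in this commit look like a workaround for exactly that), and whatever the server keeps in client attributes is copied into Terraform state in plaintext. Consider writing back only the declared keys in the resource read path, as sketched below; if `setOpenidClientData` is shared with the data source (not visible in this hunk), the data source should keep the unfiltered map. The function body continues outside the hunk.

```go
// … unchanged: the preceding data.Set calls for the session timeout/lifespan attributes …
declared := data.Get("extra_config").(map[string]interface{})
extraConfig := make(map[string]interface{}, len(declared))
for key := range declared {
	if value, ok := client.Attributes.ExtraConfig[key]; ok {
		extraConfig[key] = value
	}
}
data.Set("extra_config", extraConfig)
```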
diff --git a/provider/resource_keycloak_openid_client_authorization_client_policy_test.go b/provider/resource_keycloak_openid_client_authorization_client_policy_test.go index f87c4145a..8a7f7651f 100644 --- a/provider/resource_keycloak_openid_client_authorization_client_policy_test.go +++ b/provider/resource_keycloak_openid_client_authorization_client_policy_test.go @@ -93,6 +93,10 @@ resource keycloak_openid_client test { authorization { policy_enforcement_mode = "ENFORCING" } + extra_config = { + "backchannel.logout.revoke.offline.tokens" = "false" + "backchannel.logout.session.required" = "true" + } } resource keycloak_openid_client_client_policy test { diff --git a/provider/resource_keycloak_openid_client_authorization_group_policy_test.go b/provider/resource_keycloak_openid_client_authorization_group_policy_test.go index aee400d6d..078290d25 100644 --- a/provider/resource_keycloak_openid_client_authorization_group_policy_test.go +++ b/provider/resource_keycloak_openid_client_authorization_group_policy_test.go @@ -92,6 +92,10 @@ resource keycloak_openid_client test { authorization { policy_enforcement_mode = "ENFORCING" } + extra_config = { + "backchannel.logout.revoke.offline.tokens" = "false" + "backchannel.logout.session.required" = "true" + } } resource "keycloak_group" "test" { diff --git a/provider/resource_keycloak_openid_client_authorization_js_policy_test.go b/provider/resource_keycloak_openid_client_authorization_js_policy_test.go index a8cea3218..35ad4280b 100644 --- a/provider/resource_keycloak_openid_client_authorization_js_policy_test.go +++ b/provider/resource_keycloak_openid_client_authorization_js_policy_test.go @@ -92,6 +92,10 @@ resource keycloak_openid_client test { authorization { policy_enforcement_mode = "ENFORCING" } + extra_config = { + "backchannel.logout.revoke.offline.tokens" = "false" + "backchannel.logout.session.required" = "true" + } } resource keycloak_openid_client_js_policy test { 
diff --git a/provider/resource_keycloak_openid_client_authorization_permission_test.go b/provider/resource_keycloak_openid_client_authorization_permission_test.go index cf2bd1121..6e997b1f5 100644 --- a/provider/resource_keycloak_openid_client_authorization_permission_test.go +++ b/provider/resource_keycloak_openid_client_authorization_permission_test.go @@ -175,6 +175,10 @@ resource keycloak_openid_client test { authorization { policy_enforcement_mode = "ENFORCING" } + extra_config = { + "backchannel.logout.revoke.offline.tokens" = "false" + "backchannel.logout.session.required" = "true" + } } data keycloak_openid_client_authorization_policy default { @@ -224,6 +228,10 @@ resource keycloak_openid_client test { authorization { policy_enforcement_mode = "ENFORCING" } + extra_config = { + "backchannel.logout.revoke.offline.tokens" = "false" + "backchannel.logout.session.required" = "true" + } } data keycloak_openid_client_authorization_policy default { diff --git a/provider/resource_keycloak_openid_client_authorization_resource_test.go b/provider/resource_keycloak_openid_client_authorization_resource_test.go index b9f3db0e4..a608381bb 100644 --- a/provider/resource_keycloak_openid_client_authorization_resource_test.go +++ b/provider/resource_keycloak_openid_client_authorization_resource_test.go @@ -2,11 +2,12 @@ package provider import ( "fmt" + "testing" + "github.com/hashicorp/terraform-plugin-sdk/v2/helper/acctest" "github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource" "github.com/hashicorp/terraform-plugin-sdk/v2/terraform" "github.com/mrparkers/terraform-provider-keycloak/keycloak" - "testing" ) func TestAccKeycloakOpenidClientAuthorizationResource_basic(t *testing.T) { 
@@ -176,6 +177,10 @@ resource keycloak_openid_client test { authorization { policy_enforcement_mode = "ENFORCING" } + extra_config = { + "backchannel.logout.revoke.offline.tokens" = "false" + "backchannel.logout.session.required" = "true" + } } resource keycloak_openid_client_authorization_resource test { @@ -204,6 +209,10 @@ resource keycloak_openid_client test { authorization { policy_enforcement_mode = "ENFORCING" } + extra_config = { + "backchannel.logout.revoke.offline.tokens" = "false" + "backchannel.logout.session.required" = "true" + } } resource keycloak_openid_client_authorization_resource test { diff --git a/provider/resource_keycloak_openid_client_authorization_role_policy_test.go b/provider/resource_keycloak_openid_client_authorization_role_policy_test.go index f15e6f95a..2960cb562 100644 --- a/provider/resource_keycloak_openid_client_authorization_role_policy_test.go +++ b/provider/resource_keycloak_openid_client_authorization_role_policy_test.go @@ -117,6 +117,10 @@ resource keycloak_openid_client test { authorization { policy_enforcement_mode = "ENFORCING" } + extra_config = { + "backchannel.logout.revoke.offline.tokens" = "false" + "backchannel.logout.session.required" = "true" + } } resource "keycloak_role" "test" { @@ -172,6 +176,10 @@ resource keycloak_openid_client test { authorization { policy_enforcement_mode = "ENFORCING" } + extra_config = { + "backchannel.logout.revoke.offline.tokens" = "false" + "backchannel.logout.session.required" = "true" + } } %s diff --git a/provider/resource_keycloak_openid_client_authorization_scope_test.go b/provider/resource_keycloak_openid_client_authorization_scope_test.go index cc2ae2581..92175c618 100644 --- a/provider/resource_keycloak_openid_client_authorization_scope_test.go +++ b/provider/resource_keycloak_openid_client_authorization_scope_test.go 
@@ -2,11 +2,12 @@ package provider import ( "fmt" + "testing" + "github.com/hashicorp/terraform-plugin-sdk/v2/helper/acctest" "github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource" "github.com/hashicorp/terraform-plugin-sdk/v2/terraform" "github.com/mrparkers/terraform-provider-keycloak/keycloak" - "testing" ) func TestAccKeycloakOpenidClientAuthorizationScope_basic(t *testing.T) { @@ -171,6 +172,10 @@ resource keycloak_openid_client test { authorization { policy_enforcement_mode = "ENFORCING" } + extra_config = { + "backchannel.logout.revoke.offline.tokens" = "false" + "backchannel.logout.session.required" = "true" + } } resource keycloak_openid_client_authorization_scope test { @@ -195,6 +200,10 @@ resource keycloak_openid_client test { authorization { policy_enforcement_mode = "ENFORCING" } + extra_config = { + "backchannel.logout.revoke.offline.tokens" = "false" + "backchannel.logout.session.required" = "true" + } } resource keycloak_openid_client_authorization_scope test { diff --git a/provider/resource_keycloak_openid_client_authorization_time_policy_test.go b/provider/resource_keycloak_openid_client_authorization_time_policy_test.go index e30f2fb5d..c11df85bd 100644 --- a/provider/resource_keycloak_openid_client_authorization_time_policy_test.go +++ b/provider/resource_keycloak_openid_client_authorization_time_policy_test.go @@ -94,6 +94,10 @@ func testResourceKeycloakOpenidClientAuthorizationTimePolicy_basic(policyName, c authorization { policy_enforcement_mode = "ENFORCING" } + extra_config = { + "backchannel.logout.revoke.offline.tokens" = "false" + "backchannel.logout.session.required" = "true" + } } resource keycloak_openid_client_time_policy test { diff --git a/provider/resource_keycloak_openid_client_authorization_user_policy_test.go b/provider/resource_keycloak_openid_client_authorization_user_policy_test.go index 8394c83bf..2a3e2218b 100644 --- a/provider/resource_keycloak_openid_client_authorization_user_policy_test.go 
+++ b/provider/resource_keycloak_openid_client_authorization_user_policy_test.go @@ -94,6 +94,10 @@ func testResourceKeycloakOpenidClientAuthorizationUserPolicy_basic(clientId, use authorization { policy_enforcement_mode = "ENFORCING" } + extra_config = { + "backchannel.logout.revoke.offline.tokens" = "false" + "backchannel.logout.session.required" = "true" + } } resource keycloak_user test { diff --git a/provider/resource_keycloak_openid_client_default_scopes_test.go b/provider/resource_keycloak_openid_client_default_scopes_test.go index ad3e89106..f773baed9 100644 --- a/provider/resource_keycloak_openid_client_default_scopes_test.go +++ b/provider/resource_keycloak_openid_client_default_scopes_test.go @@ -2,13 +2,14 @@ package provider import ( "fmt" + "regexp" + "strings" + "testing" + "github.com/hashicorp/terraform-plugin-sdk/v2/helper/acctest" "github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource" "github.com/hashicorp/terraform-plugin-sdk/v2/terraform" "github.com/mrparkers/terraform-provider-keycloak/keycloak" - "regexp" - "strings" - "testing" ) // All openid clients in Keycloak will automatically have these scopes listed as "default client scopes". @@ -399,6 +400,11 @@ resource "keycloak_openid_client" "client" { client_id = "%s" realm_id = data.keycloak_realm.realm.id access_type = "PUBLIC" + + extra_config = { + "backchannel.logout.revoke.offline.tokens" = "false" + "backchannel.logout.session.required" = "true" + } } resource "keycloak_openid_client_scope" "client_scope" { @@ -432,6 +438,10 @@ resource "keycloak_openid_client" "client" { client_id = "%s" realm_id = data.keycloak_realm.realm.id access_type = "PUBLIC" + extra_config = { + "backchannel.logout.revoke.offline.tokens" = "false" + "backchannel.logout.session.required" = "true" + } } resource "keycloak_openid_client_scope" "client_scope" { 
@@ -453,6 +463,10 @@ resource "keycloak_openid_client" "client" { client_id = "%s" realm_id = data.keycloak_realm.realm.id access_type = "PUBLIC" + extra_config = { + "backchannel.logout.revoke.offline.tokens" = "false" + "backchannel.logout.session.required" = "true" + } } resource "keycloak_openid_client_scope" "client_scope" { @@ -509,6 +523,11 @@ resource "keycloak_openid_client" "client" { client_id = "%s" realm_id = data.keycloak_realm.realm.id access_type = "BEARER-ONLY" + + extra_config = { + "backchannel.logout.revoke.offline.tokens" = "false" + "backchannel.logout.session.required" = "true" + } } resource "keycloak_openid_client_scope" "client_scope" { @@ -563,6 +582,11 @@ resource "keycloak_openid_client" "client" { client_id = "%s" realm_id = data.keycloak_realm.realm.id access_type = "PUBLIC" + + extra_config = { + "backchannel.logout.revoke.offline.tokens" = "false" + "backchannel.logout.session.required" = "true" + } } %s diff --git a/provider/resource_keycloak_openid_client_optional_scopes_test.go b/provider/resource_keycloak_openid_client_optional_scopes_test.go index b45b2f86c..b802004e2 100644 --- a/provider/resource_keycloak_openid_client_optional_scopes_test.go +++ b/provider/resource_keycloak_openid_client_optional_scopes_test.go @@ -2,13 +2,14 @@ package provider import ( "fmt" + "regexp" + "strings" + "testing" + "github.com/hashicorp/terraform-plugin-sdk/v2/helper/acctest" "github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource" "github.com/hashicorp/terraform-plugin-sdk/v2/terraform" "github.com/mrparkers/terraform-provider-keycloak/keycloak" - "regexp" - "strings" - "testing" ) // All openid clients in Keycloak will automatically have these scopes listed as "optional client scopes". 
@@ -407,6 +408,11 @@ resource "keycloak_openid_client" "client" { client_id = "%s" realm_id = data.keycloak_realm.realm.id access_type = "PUBLIC" + + extra_config = { + "backchannel.logout.revoke.offline.tokens" = "false" + "backchannel.logout.session.required" = "true" + } } resource "keycloak_openid_client_scope" "client_scope" { @@ -438,6 +444,11 @@ resource "keycloak_openid_client" "client" { client_id = "%s" realm_id = data.keycloak_realm.realm.id access_type = "PUBLIC" + + extra_config = { + "backchannel.logout.revoke.offline.tokens" = "false" + "backchannel.logout.session.required" = "true" + } } resource "keycloak_openid_client_scope" "client_scope" { @@ -471,6 +482,11 @@ resource "keycloak_openid_client" "client" { client_id = "%s" realm_id = data.keycloak_realm.realm.id access_type = "PUBLIC" + + extra_config = { + "backchannel.logout.revoke.offline.tokens" = "false" + "backchannel.logout.session.required" = "true" + } } resource "keycloak_openid_client_scope" "client_scope" { @@ -492,6 +508,11 @@ resource "keycloak_openid_client" "client" { client_id = "%s" realm_id = data.keycloak_realm.realm.id access_type = "PUBLIC" + + extra_config = { + "backchannel.logout.revoke.offline.tokens" = "false" + "backchannel.logout.session.required" = "true" + } } resource "keycloak_openid_client_scope" "client_scope" { @@ -575,6 +596,11 @@ resource "keycloak_openid_client" "client" { client_id = "%s" realm_id = data.keycloak_realm.realm.id access_type = "BEARER-ONLY" + + extra_config = { + "backchannel.logout.revoke.offline.tokens" = "false" + "backchannel.logout.session.required" = "true" + } } resource "keycloak_openid_client_scope" "client_scope" { 
@@ -606,6 +632,11 @@ resource "keycloak_openid_client" "client" { client_id = "%s" realm_id = data.keycloak_realm.realm.id access_type = "BEARER-ONLY" + + extra_config = { + "backchannel.logout.revoke.offline.tokens" = "false" + "backchannel.logout.session.required" = "true" + } } resource "keycloak_openid_client_scope" "client_scope" { @@ -660,6 +691,11 @@ resource "keycloak_openid_client" "client" { client_id = "%s" realm_id = data.keycloak_realm.realm.id access_type = "PUBLIC" + + extra_config = { + "backchannel.logout.revoke.offline.tokens" = "false" + "backchannel.logout.session.required" = "true" + } } %s diff --git a/provider/resource_keycloak_openid_client_permissions_test.go b/provider/resource_keycloak_openid_client_permissions_test.go index d3bf7c38a..3ffd27391 100644 --- a/provider/resource_keycloak_openid_client_permissions_test.go +++ b/provider/resource_keycloak_openid_client_permissions_test.go @@ -133,6 +133,10 @@ resource "keycloak_openid_client" "openid_client" { valid_redirect_uris = [ "http://localhost:8080/*", ] + extra_config = { + "backchannel.logout.revoke.offline.tokens" = "false" + "backchannel.logout.session.required" = "true" +} } data "keycloak_openid_client" "realm_management" { @@ -202,6 +206,10 @@ resource "keycloak_openid_client" "openid_client" { valid_redirect_uris = [ "http://localhost:8080/*", ] + extra_config = { + "backchannel.logout.revoke.offline.tokens" = "false" + "backchannel.logout.session.required" = "true" +} } data "keycloak_openid_client" "realm_management" { diff --git a/provider/resource_keycloak_openid_client_service_account_realm_role_test.go b/provider/resource_keycloak_openid_client_service_account_realm_role_test.go index 5d1fbd113..c0823ae15 100644 --- a/provider/resource_keycloak_openid_client_service_account_realm_role_test.go +++ b/provider/resource_keycloak_openid_client_service_account_realm_role_test.go 
@@ -2,12 +2,13 @@ package provider import ( "fmt" + "strings" + "testing" + "github.com/hashicorp/terraform-plugin-sdk/v2/helper/acctest" "github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource" "github.com/hashicorp/terraform-plugin-sdk/v2/terraform" "github.com/mrparkers/terraform-provider-keycloak/keycloak" - "strings" - "testing" ) func TestAccKeycloakOpenidClientServiceAccountRealmRole_basic(t *testing.T) { @@ -150,6 +151,10 @@ resource keycloak_openid_client test { realm_id = data.keycloak_realm.realm.id access_type = "CONFIDENTIAL" service_accounts_enabled = true + extra_config = { + "backchannel.logout.revoke.offline.tokens" = "false" + "backchannel.logout.session.required" = "true" + } } resource keycloak_openid_client_service_account_realm_role test { diff --git a/provider/resource_keycloak_openid_client_service_account_role_test.go b/provider/resource_keycloak_openid_client_service_account_role_test.go index 158e5a685..5500f29e4 100644 --- a/provider/resource_keycloak_openid_client_service_account_role_test.go +++ b/provider/resource_keycloak_openid_client_service_account_role_test.go @@ -2,12 +2,13 @@ package provider import ( "fmt" + "strings" + "testing" + "github.com/hashicorp/terraform-plugin-sdk/v2/helper/acctest" "github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource" "github.com/hashicorp/terraform-plugin-sdk/v2/terraform" "github.com/mrparkers/terraform-provider-keycloak/keycloak" - "strings" - "testing" ) func TestAccKeycloakOpenidClientServiceAccountRole_basic(t *testing.T) { @@ -181,6 +182,10 @@ resource "keycloak_openid_client" "test" { realm_id = data.keycloak_realm.realm.id access_type = "CONFIDENTIAL" service_accounts_enabled = true + extra_config = { + "backchannel.logout.revoke.offline.tokens" = "false" + "backchannel.logout.session.required" = "true" + } } data "keycloak_openid_client" "broker" { 
@@ -207,6 +212,10 @@ resource "keycloak_openid_client" "bearer" { client_id = "%s" realm_id = data.keycloak_realm.realm.id access_type = "BEARER-ONLY" + extra_config = { + "backchannel.logout.revoke.offline.tokens" = "false" + "backchannel.logout.session.required" = "true" + } } resource "keycloak_role" "bearer_role" { @@ -221,6 +230,10 @@ resource "keycloak_openid_client" "consumer" { access_type = "CONFIDENTIAL" service_accounts_enabled = false + extra_config = { + "backchannel.logout.revoke.offline.tokens" = "false" + "backchannel.logout.session.required" = "true" +} } `, testAccRealm.Realm, bearerClientId, consumerClientId) } @@ -235,6 +248,10 @@ resource "keycloak_openid_client" "bearer" { client_id = "%s" realm_id = data.keycloak_realm.realm.id access_type = "BEARER-ONLY" + extra_config = { + "backchannel.logout.revoke.offline.tokens" = "false" + "backchannel.logout.session.required" = "true" + } } resource "keycloak_role" "bearer_role" { @@ -249,6 +266,10 @@ resource "keycloak_openid_client" "consumer" { access_type = "CONFIDENTIAL" service_accounts_enabled = true + extra_config = { + "backchannel.logout.revoke.offline.tokens" = "false" + "backchannel.logout.session.required" = "true" +} } resource "keycloak_openid_client_service_account_role" "consumer_service_account_role" { diff --git a/provider/resource_keycloak_openid_client_test.go b/provider/resource_keycloak_openid_client_test.go index 45c720ac6..aaa2e6591 100644 --- a/provider/resource_keycloak_openid_client_test.go +++ b/provider/resource_keycloak_openid_client_test.go 
@@ -512,6 +512,23 @@ func TestAccKeycloakOpenidClient_useRefreshTokens(t *testing.T) { }) } +func TestAccKeycloakOpenidClient_extraConfig(t *testing.T) { + t.Parallel() + clientId := acctest.RandomWithPrefix("tf-acc") + + resource.Test(t, resource.TestCase{ + ProviderFactories: testAccProviderFactories, + PreCheck: func() { testAccPreCheck(t) }, + CheckDestroy: testAccCheckKeycloakOpenidClientDestroy(), + Steps: []resource.TestStep{ + { + Config: testKeycloakOpenidClient_extraConfig(clientId, "key1", "value1"), + Check: testAccCheckKeycloakOpenidClientExtraConfig("keycloak_openid_client.client", "key1", "value1"), + }, + }, + }) +} + func testAccCheckKeycloakOpenidClientExistsWithCorrectProtocol(resourceName string) resource.TestCheckFunc { return func(s *terraform.State) error { client, err := getOpenidClientFromState(s, resourceName) @@ -764,6 +781,21 @@ func testAccCheckKeycloakOpenidClientUseRefreshTokens(resourceName string, useRe } } +func testAccCheckKeycloakOpenidClientExtraConfig(resourceName string, key string, value string) resource.TestCheckFunc { + return func(s *terraform.State) error { + client, err := getOpenidClientFromState(s, resourceName) + if err != nil { + return err + } + + if client.Attributes.ExtraConfig[key] != value { + return fmt.Errorf("expected openid client to have attribute %v set to %v, but got %v", key, value, client.Attributes.ExtraConfig[key]) + } + + return nil + } +} + func getOpenidClientFromState(s *terraform.State, resourceName string) (*keycloak.OpenidClient, error) { rs, ok := s.RootModule().Resources[resourceName] if !ok { @@ -791,6 +823,10 @@ resource "keycloak_openid_client" "client" { client_id = "%s" realm_id = data.keycloak_realm.realm.id access_type = "CONFIDENTIAL" + extra_config = { + "backchannel.logout.revoke.offline.tokens" = "false" + "backchannel.logout.session.required" = "true" + } } `, testAccRealm.Realm, clientId) } 
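Review bot: TestAccKeycloakOpenidClient_extraConfig runs a single create step, so nothing checks that changing or removing a key in `extra_config` actually reaches Keycloak. For an escape hatch that can carry security-relevant client attributes, a key dropped from configuration but still set on the server is the failure worth catching. Add a second step that changes the value, `Config: testKeycloakOpenidClient_extraConfig(clientId, "key1", "value2"),` with the matching check, and a final step whose config omits `key1` and whose check asserts the attribute is gone. testAccCheckKeycloakOpenidClientExtraConfig in the next hunk would need an absent-key variant for that, since it only compares against an expected value.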
@@ -806,6 +842,10 @@ resource "keycloak_openid_client" "client" { realm_id = data.keycloak_realm.realm.id access_type = "CONFIDENTIAL" access_token_lifespan = "%s" + extra_config = { + "backchannel.logout.revoke.offline.tokens" = "false" + "backchannel.logout.session.required" = "true" + } } `, testAccRealm.Realm, clientId, accessTokenLifespan) } @@ -827,6 +867,11 @@ resource "keycloak_openid_client" "client" { client_offline_session_max_lifespan = "%s" client_session_idle_timeout = "%s" client_session_max_lifespan = "%s" + + extra_config = { + "backchannel.logout.revoke.offline.tokens" = "false" + "backchannel.logout.session.required" = "true" + } } `, testAccRealm.Realm, clientId, offlineSessionIdleTimeout, offlineSessionMaxLifespan, sessionIdleTimeout, sessionMaxLifespan) } @@ -841,6 +886,10 @@ resource "keycloak_openid_client" "client" { client_id = "%s" realm_id = data.keycloak_realm.realm.id access_type = "%s" + extra_config = { + "backchannel.logout.revoke.offline.tokens" = "false" + "backchannel.logout.session.required" = "true" + } } `, testAccRealm.Realm, clientId, accessType) } @@ -857,6 +906,10 @@ resource "keycloak_openid_client" "client" { realm_id = data.keycloak_realm.realm.id access_type = "CONFIDENTIAL" pkce_code_challenge_method = "%s" + extra_config = { + "backchannel.logout.revoke.offline.tokens" = "false" + "backchannel.logout.session.required" = "true" + } } `, testAccRealm.Realm, clientId, pkceChallengeMethod) } @@ -873,6 +926,10 @@ resource "keycloak_openid_client" "client" { realm_id = data.keycloak_realm.realm.id access_type = "CONFIDENTIAL" exclude_session_state_from_auth_response = %t + extra_config = { + "backchannel.logout.revoke.offline.tokens" = "false" + "backchannel.logout.session.required" = "true" + } } `, testAccRealm.Realm, clientId, excludeSessionStateFromAuthResponse) } 
@@ -888,6 +945,10 @@ resource "keycloak_openid_client" "client" { client_id = "%s" realm_id = data.keycloak_realm.realm.id access_type = "CONFIDENTIAL" + extra_config = { + "backchannel.logout.revoke.offline.tokens" = "false" + "backchannel.logout.session.required" = "true" + } } `, testAccRealm.Realm, clientId) } @@ -904,6 +965,10 @@ resource "keycloak_openid_client" "client" { realm_id = data.keycloak_realm.realm.id access_type = "CONFIDENTIAL" pkce_code_challenge_method = "%s" + extra_config = { + "backchannel.logout.revoke.offline.tokens" = "false" + "backchannel.logout.session.required" = "true" + } } `, testAccRealm.Realm, clientId, pkceChallengeMethod) } @@ -922,6 +987,10 @@ resource "keycloak_openid_client" "client" { client_id = "%s" realm_id = data.keycloak_realm.realm_1.id access_type = "BEARER-ONLY" + extra_config = { + "backchannel.logout.revoke.offline.tokens" = "false" + "backchannel.logout.session.required" = "true" + } } `, testAccRealm.Realm, testAccRealmTwo.Realm, clientId) } @@ -940,6 +1009,10 @@ resource "keycloak_openid_client" "client" { client_id = "%s" realm_id = data.keycloak_realm.realm_2.id access_type = "BEARER-ONLY" + extra_config = { + "backchannel.logout.revoke.offline.tokens" = "false" + "backchannel.logout.session.required" = "true" + } } `, testAccRealm.Realm, testAccRealmTwo.Realm, clientId) } 
@@ -970,6 +1043,10 @@ resource "keycloak_openid_client" "client" { admin_url = "%s" base_url = "%s" root_url = "%s" + extra_config = { + "backchannel.logout.revoke.offline.tokens" = "false" + "backchannel.logout.session.required" = "true" + } } `, testAccRealm.Realm, openidClient.ClientId, openidClient.Name, openidClient.Enabled, openidClient.Description, openidClient.ClientSecret, openidClient.StandardFlowEnabled, openidClient.ImplicitFlowEnabled, openidClient.DirectAccessGrantsEnabled, openidClient.ServiceAccountsEnabled, arrayOfStringsForTerraformResource(openidClient.ValidRedirectUris), arrayOfStringsForTerraformResource(openidClient.WebOrigins), openidClient.AdminUrl, openidClient.BaseUrl, *openidClient.RootUrl) } @@ -985,6 +1062,10 @@ resource "keycloak_openid_client" "client" { realm_id = data.keycloak_realm.realm.id access_type = "CONFIDENTIAL" client_secret = "%s" + extra_config = { + "backchannel.logout.revoke.offline.tokens" = "false" + "backchannel.logout.session.required" = "true" + } } `, testAccRealm.Realm, clientId, clientSecret) } @@ -1002,6 +1083,10 @@ resource "keycloak_openid_client" "client" { standard_flow_enabled = %t implicit_flow_enabled = %t + extra_config = { + "backchannel.logout.revoke.offline.tokens" = "false" + "backchannel.logout.session.required" = "true" + } } `, testAccRealm.Realm, clientId, accessType, standardFlowEnabled, implicitFlowEnabled) } @@ -1018,6 +1103,11 @@ resource "keycloak_openid_client" "client" { access_type = "PUBLIC" service_accounts_enabled = true + + extra_config = { + "backchannel.logout.revoke.offline.tokens" = "false" + "backchannel.logout.session.required" = "true" + } } `, testAccRealm.Realm, clientId) } 
@@ -1037,6 +1127,11 @@ resource "keycloak_openid_client" "client" { implicit_flow_enabled = %t direct_access_grants_enabled = %t service_accounts_enabled = %t + + extra_config = { + "backchannel.logout.revoke.offline.tokens" = "false" + "backchannel.logout.session.required" = "true" + } } `, testAccRealm.Realm, clientId, standardFlowEnabled, implicitFlowEnabled, directAccessGrantsEnabled, serviceAccountsEnabled) } @@ -1061,6 +1156,11 @@ resource "keycloak_openid_client" "client" { browser_id = "${keycloak_authentication_flow.another_flow.id}" direct_grant_id = "${keycloak_authentication_flow.another_flow.id}" } + + extra_config = { + "backchannel.logout.revoke.offline.tokens" = "false" + "backchannel.logout.session.required" = "true" + } } `, testAccRealm.Realm, clientId) } @@ -1081,6 +1181,11 @@ resource "keycloak_openid_client" "client" { client_id = "%s" realm_id = data.keycloak_realm.realm.id access_type = "PUBLIC" + + extra_config = { + "backchannel.logout.revoke.offline.tokens" = "false" + "backchannel.logout.session.required" = "true" + } } `, testAccRealm.Realm, clientId) } @@ -1096,6 +1201,11 @@ resource "keycloak_openid_client" "client" { realm_id = data.keycloak_realm.realm.id access_type = "PUBLIC" login_theme = "%s" + + extra_config = { + "backchannel.logout.revoke.offline.tokens" = "false" + "backchannel.logout.session.required" = "true" + } } `, testAccRealm.Realm, clientId, loginTheme) } 
@@ -1112,6 +1222,31 @@ resource "keycloak_openid_client" "client" { realm_id = data.keycloak_realm.realm.id access_type = "CONFIDENTIAL" use_refresh_tokens = %t + + extra_config = { + "backchannel.logout.revoke.offline.tokens" = "false" + "backchannel.logout.session.required" = "true" + } } `, testAccRealm.Realm, clientId, useRefreshTokens) } + +func testKeycloakOpenidClient_extraConfig(clientId string, key string, value string) string { + + return fmt.Sprintf(` +data "keycloak_realm" "realm" { + realm = "%s" +} + +resource "keycloak_openid_client" "client" { + client_id = "%s" + realm_id = data.keycloak_realm.realm.id + access_type = "CONFIDENTIAL" + extra_config = { + "%s" = "%s" + "backchannel.logout.revoke.offline.tokens" = "false" + "backchannel.logout.session.required" = "true" + } +} + `, testAccRealm.Realm, clientId, key, value) +} diff --git a/provider/resource_keycloak_openid_full_name_protocol_mapper_test.go b/provider/resource_keycloak_openid_full_name_protocol_mapper_test.go index 1ecd986d3..cfe6f11ba 100644 --- a/provider/resource_keycloak_openid_full_name_protocol_mapper_test.go +++ b/provider/resource_keycloak_openid_full_name_protocol_mapper_test.go @@ -2,11 +2,12 @@ package provider import ( "fmt" + "testing" + "github.com/hashicorp/terraform-plugin-sdk/v2/helper/acctest" "github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource" "github.com/hashicorp/terraform-plugin-sdk/v2/terraform" "github.com/mrparkers/terraform-provider-keycloak/keycloak" - "testing" ) func TestAccKeycloakOpenIdFullNameProtocolMapper_basicClient(t *testing.T) { @@ -329,6 +330,11 @@ resource "keycloak_openid_client" "openid_client" { client_id = "%s" access_type = "BEARER-ONLY" + + extra_config = { + "backchannel.logout.revoke.offline.tokens" = "false" + "backchannel.logout.session.required" = "true" + } } resource "keycloak_openid_full_name_protocol_mapper" "full_name_mapper_client" { 
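Review bot: testKeycloakOpenidClient_extraConfig splices `key` and `value` into the HCL with `"%s" = "%s"`, so a quote or backslash in either argument yields a broken configuration, or a different one than the caller intended. The only caller visible here passes constants, but the helper accepts arbitrary strings; `%q = %q` would quote them for the plain-string case. A `key` equal to one of the two fixed `backchannel.logout.*` entries would also define the same map key twice. That is worth a one-line comment on the helper, e.g. `// key must not be one of the backchannel.logout.* attributes pinned below`.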
@@ -367,6 +373,11 @@ resource "keycloak_openid_client" "openid_client" { client_id = "%s" access_type = "BEARER-ONLY" + + extra_config = { + "backchannel.logout.revoke.offline.tokens" = "false" + "backchannel.logout.session.required" = "true" + } } resource "keycloak_openid_full_name_protocol_mapper" "full_name_mapper_client" { @@ -398,6 +409,11 @@ resource "keycloak_openid_client" "openid_client" { client_id = "%s" access_type = "BEARER-ONLY" + + extra_config = { + "backchannel.logout.revoke.offline.tokens" = "false" + "backchannel.logout.session.required" = "true" + } } resource "keycloak_openid_full_name_protocol_mapper" "full_name_mapper" { @@ -422,6 +438,11 @@ resource "keycloak_openid_client" "openid_client_one" { client_id = "%s" access_type = "BEARER-ONLY" + + extra_config = { + "backchannel.logout.revoke.offline.tokens" = "false" + "backchannel.logout.session.required" = "true" + } } resource "keycloak_openid_client" "openid_client_two" { @@ -429,6 +450,11 @@ resource "keycloak_openid_client" "openid_client_two" { client_id = "%s" access_type = "BEARER-ONLY" + + extra_config = { + "backchannel.logout.revoke.offline.tokens" = "false" + "backchannel.logout.session.required" = "true" + } } resource "keycloak_openid_full_name_protocol_mapper" "full_name_mapper_client" { diff --git a/provider/resource_keycloak_openid_group_membership_protocol_mapper_test.go b/provider/resource_keycloak_openid_group_membership_protocol_mapper_test.go index bad2e2486..022404cf4 100644 --- a/provider/resource_keycloak_openid_group_membership_protocol_mapper_test.go +++ b/provider/resource_keycloak_openid_group_membership_protocol_mapper_test.go 
@@ -2,11 +2,12 @@ package provider import ( "fmt" + "testing" + "github.com/hashicorp/terraform-plugin-sdk/v2/helper/acctest" "github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource" "github.com/hashicorp/terraform-plugin-sdk/v2/terraform" "github.com/mrparkers/terraform-provider-keycloak/keycloak" - "testing" ) func TestAccKeycloakOpenIdGroupMembershipProtocolMapper_basicClient(t *testing.T) { @@ -303,6 +304,11 @@ resource "keycloak_openid_client" "openid_client" { client_id = "%s" access_type = "BEARER-ONLY" + + extra_config = { + "backchannel.logout.revoke.offline.tokens" = "false" + "backchannel.logout.session.required" = "true" + } } resource "keycloak_openid_group_membership_protocol_mapper" "group_membership_mapper_client" { @@ -343,6 +349,11 @@ resource "keycloak_openid_client" "openid_client" { client_id = "%s" access_type = "BEARER-ONLY" + + extra_config = { + "backchannel.logout.revoke.offline.tokens" = "false" + "backchannel.logout.session.required" = "true" + } } resource "keycloak_openid_group_membership_protocol_mapper" "group_membership_mapper_client" { @@ -376,6 +387,11 @@ resource "keycloak_openid_client" "openid_client" { client_id = "%s" access_type = "BEARER-ONLY" + + extra_config = { + "backchannel.logout.revoke.offline.tokens" = "false" + "backchannel.logout.session.required" = "true" + } } resource "keycloak_openid_group_membership_protocol_mapper" "group_membership_mapper" { @@ -402,6 +418,11 @@ resource "keycloak_openid_client" "openid_client_one" { client_id = "%s" access_type = "BEARER-ONLY" + + extra_config = { + "backchannel.logout.revoke.offline.tokens" = "false" + "backchannel.logout.session.required" = "true" + } } resource "keycloak_openid_client" "openid_client_two" { 
@@ -409,6 +430,11 @@ resource "keycloak_openid_client" "openid_client_two" { client_id = "%s" access_type = "BEARER-ONLY" + + extra_config = { + "backchannel.logout.revoke.offline.tokens" = "false" + "backchannel.logout.session.required" = "true" + } } resource "keycloak_openid_group_membership_protocol_mapper" "group_membership_mapper_client" { diff --git a/provider/resource_keycloak_openid_hardcoded_claim_protocol_mapper_test.go b/provider/resource_keycloak_openid_hardcoded_claim_protocol_mapper_test.go index 163ad457f..669dadf45 100644 --- a/provider/resource_keycloak_openid_hardcoded_claim_protocol_mapper_test.go +++ b/provider/resource_keycloak_openid_hardcoded_claim_protocol_mapper_test.go @@ -2,12 +2,13 @@ package provider import ( "fmt" + "regexp" + "testing" + "github.com/hashicorp/terraform-plugin-sdk/v2/helper/acctest" "github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource" "github.com/hashicorp/terraform-plugin-sdk/v2/terraform" "github.com/mrparkers/terraform-provider-keycloak/keycloak" - "regexp" - "testing" ) func TestAccKeycloakOpenIdHardcodedClaimProtocolMapper_basicClient(t *testing.T) { @@ -313,6 +314,11 @@ resource "keycloak_openid_client" "openid_client" { client_id = "%s" access_type = "BEARER-ONLY" + + extra_config = { + "backchannel.logout.revoke.offline.tokens" = "false" + "backchannel.logout.session.required" = "true" + } } resource "keycloak_openid_hardcoded_claim_protocol_mapper" "hardcoded_claim_mapper_client" { @@ -359,6 +365,11 @@ resource "keycloak_openid_client" "openid_client" { client_id = "%s" access_type = "BEARER-ONLY" + + extra_config = { + "backchannel.logout.revoke.offline.tokens" = "false" + "backchannel.logout.session.required" = "true" + } } resource "keycloak_openid_hardcoded_claim_protocol_mapper" "hardcoded_claim_mapper_client" { 
@@ -398,6 +409,11 @@ resource "keycloak_openid_client" "openid_client" { client_id = "%s" access_type = "BEARER-ONLY" + + extra_config = { + "backchannel.logout.revoke.offline.tokens" = "false" + "backchannel.logout.session.required" = "true" + } } resource "keycloak_openid_hardcoded_claim_protocol_mapper" "hardcoded_claim_mapper" { @@ -421,6 +437,11 @@ resource "keycloak_openid_client" "openid_client" { client_id = "openid-client" access_type = "BEARER-ONLY" + + extra_config = { + "backchannel.logout.revoke.offline.tokens" = "false" + "backchannel.logout.session.required" = "true" + } } resource "keycloak_openid_hardcoded_claim_protocol_mapper" "hardcoded_claim_mapper_validation" { diff --git a/provider/resource_keycloak_openid_hardcoded_role_protocol_mapper_test.go b/provider/resource_keycloak_openid_hardcoded_role_protocol_mapper_test.go index 7e7034bee..54de913b4 100644 --- a/provider/resource_keycloak_openid_hardcoded_role_protocol_mapper_test.go +++ b/provider/resource_keycloak_openid_hardcoded_role_protocol_mapper_test.go @@ -2,11 +2,12 @@ package provider import ( "fmt" + "testing" + "github.com/hashicorp/terraform-plugin-sdk/v2/helper/acctest" "github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource" "github.com/hashicorp/terraform-plugin-sdk/v2/terraform" "github.com/mrparkers/terraform-provider-keycloak/keycloak" - "testing" ) func TestAccKeycloakOpenIdHardcodedRoleProtocolMapper_basicRealmRole_client(t *testing.T) { @@ -245,6 +246,11 @@ resource "keycloak_openid_client" "openid_client" { client_id = "%s" access_type = "BEARER-ONLY" + + extra_config = { + "backchannel.logout.revoke.offline.tokens" = "false" + "backchannel.logout.session.required" = "true" + } } resource "keycloak_openid_hardcoded_role_protocol_mapper" "hardcoded_role_mapper_client" { 
@@ -295,6 +301,11 @@ resource "keycloak_openid_client" "openid_client" { client_id = "%s" access_type = "BEARER-ONLY" + + extra_config = { + "backchannel.logout.revoke.offline.tokens" = "false" + "backchannel.logout.session.required" = "true" + } } resource "keycloak_openid_hardcoded_role_protocol_mapper" "hardcoded_role_mapper_client" { @@ -340,6 +351,11 @@ resource "keycloak_openid_client" "openid_client" { client_id = "%s" access_type = "BEARER-ONLY" + + extra_config = { + "backchannel.logout.revoke.offline.tokens" = "false" + "backchannel.logout.session.required" = "true" + } } resource "keycloak_openid_hardcoded_role_protocol_mapper" "hardcoded_role_mapper_client" { @@ -371,6 +387,11 @@ resource "keycloak_openid_client" "openid_client" { client_id = "%s" access_type = "BEARER-ONLY" + + extra_config = { + "backchannel.logout.revoke.offline.tokens" = "false" + "backchannel.logout.session.required" = "true" + } } resource "keycloak_openid_hardcoded_role_protocol_mapper" "hardcoded_role_mapper_client" { @@ -392,6 +413,11 @@ resource "keycloak_openid_client" "openid_client_for_role" { client_id = "%s" access_type = "BEARER-ONLY" + + extra_config = { + "backchannel.logout.revoke.offline.tokens" = "false" + "backchannel.logout.session.required" = "true" + } } resource "keycloak_role" "role" { @@ -405,6 +431,11 @@ resource "keycloak_openid_client" "openid_client" { client_id = "%s" access_type = "BEARER-ONLY" + + extra_config = { + "backchannel.logout.revoke.offline.tokens" = "false" + "backchannel.logout.session.required" = "true" + } } resource "keycloak_openid_hardcoded_role_protocol_mapper" "hardcoded_role_mapper_client" { diff --git a/provider/resource_keycloak_openid_script_protocol_mapper_test.go b/provider/resource_keycloak_openid_script_protocol_mapper_test.go index 2f4aa9e0a..275cbf7f6 100644 --- a/provider/resource_keycloak_openid_script_protocol_mapper_test.go +++ b/provider/resource_keycloak_openid_script_protocol_mapper_test.go 
@@ -2,12 +2,13 @@ package provider import ( "fmt" + "regexp" + "testing" + "github.com/hashicorp/terraform-plugin-sdk/v2/helper/acctest" "github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource" "github.com/hashicorp/terraform-plugin-sdk/v2/terraform" "github.com/mrparkers/terraform-provider-keycloak/keycloak" - "regexp" - "testing" ) func TestAccKeycloakOpenIdScriptProtocolMapper_basicClient(t *testing.T) { @@ -295,6 +296,11 @@ resource "keycloak_openid_client" "openid_client" { client_id = "%s" access_type = "BEARER-ONLY" + + extra_config = { + "backchannel.logout.revoke.offline.tokens" = "false" + "backchannel.logout.session.required" = "true" + } } resource "keycloak_openid_script_protocol_mapper" "script_mapper_client" { @@ -337,6 +343,11 @@ resource "keycloak_openid_client" "openid_client" { client_id = "%s" access_type = "BEARER-ONLY" + + extra_config = { + "backchannel.logout.revoke.offline.tokens" = "false" + "backchannel.logout.session.required" = "true" + } } resource "keycloak_openid_script_protocol_mapper" "script_mapper_client" { @@ -372,6 +383,11 @@ resource "keycloak_openid_client" "openid_client" { client_id = "%s" access_type = "BEARER-ONLY" + + extra_config = { + "backchannel.logout.revoke.offline.tokens" = "false" + "backchannel.logout.session.required" = "true" + } } resource "keycloak_openid_script_protocol_mapper" "script_mapper" { diff --git a/provider/resource_keycloak_openid_user_attribute_protocol_mapper_test.go b/provider/resource_keycloak_openid_user_attribute_protocol_mapper_test.go index 364b2b821..e3c676b2b 100644 --- a/provider/resource_keycloak_openid_user_attribute_protocol_mapper_test.go +++ b/provider/resource_keycloak_openid_user_attribute_protocol_mapper_test.go 
@@ -2,12 +2,13 @@ package provider import ( "fmt" + "regexp" + "testing" + "github.com/hashicorp/terraform-plugin-sdk/v2/helper/acctest" "github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource" "github.com/hashicorp/terraform-plugin-sdk/v2/terraform" "github.com/mrparkers/terraform-provider-keycloak/keycloak" - "regexp" - "testing" ) func TestAccKeycloakOpenIdUserAttributeProtocolMapper_basicClient(t *testing.T) { @@ -283,6 +284,11 @@ resource "keycloak_openid_client" "openid_client" { client_id = "%s" access_type = "BEARER-ONLY" + + extra_config = { + "backchannel.logout.revoke.offline.tokens" = "false" + "backchannel.logout.session.required" = "true" + } } resource "keycloak_openid_user_attribute_protocol_mapper" "user_attribute_mapper_client" { @@ -325,6 +331,11 @@ resource "keycloak_openid_client" "openid_client" { client_id = "%s" access_type = "BEARER-ONLY" + + extra_config = { + "backchannel.logout.revoke.offline.tokens" = "false" + "backchannel.logout.session.required" = "true" + } } resource "keycloak_openid_user_attribute_protocol_mapper" "user_attribute_mapper_client" { @@ -360,6 +371,11 @@ resource "keycloak_openid_client" "openid_client" { client_id = "%s" access_type = "BEARER-ONLY" + + extra_config = { + "backchannel.logout.revoke.offline.tokens" = "false" + "backchannel.logout.session.required" = "true" + } } resource "keycloak_openid_user_attribute_protocol_mapper" "user_attribute_mapper" { diff --git a/provider/resource_keycloak_openid_user_client_role_protocol_mapper_test.go b/provider/resource_keycloak_openid_user_client_role_protocol_mapper_test.go index 001de58b5..de192126c 100644 --- a/provider/resource_keycloak_openid_user_client_role_protocol_mapper_test.go +++ b/provider/resource_keycloak_openid_user_client_role_protocol_mapper_test.go 
@@ -357,6 +357,11 @@ resource "keycloak_openid_client" "openid_client" { realm_id = data.keycloak_realm.realm.id client_id = "%s" access_type = "BEARER-ONLY" + + extra_config = { + "backchannel.logout.revoke.offline.tokens" = "false" + "backchannel.logout.session.required" = "true" + } } resource "keycloak_openid_user_client_role_protocol_mapper" "user_client_role_mapper_client" { name = "%s" @@ -394,6 +399,11 @@ resource "keycloak_openid_client" "openid_client" { realm_id = data.keycloak_realm.realm.id client_id = "%s" access_type = "BEARER-ONLY" + + extra_config = { + "backchannel.logout.revoke.offline.tokens" = "false" + "backchannel.logout.session.required" = "true" + } } resource "keycloak_openid_user_client_role_protocol_mapper" "user_client_role_mapper" { name = "%s" @@ -413,6 +423,11 @@ resource "keycloak_openid_client" "openid_client" { realm_id = data.keycloak_realm.realm.id client_id = "%s" access_type = "BEARER-ONLY" + + extra_config = { + "backchannel.logout.revoke.offline.tokens" = "false" + "backchannel.logout.session.required" = "true" + } } resource "keycloak_openid_user_client_role_protocol_mapper" "user_client_role_mapper_client" { name = "%s" @@ -443,6 +458,11 @@ resource "keycloak_openid_client" "openid_client" { realm_id = data.keycloak_realm.realm.id client_id = "openid-client" access_type = "BEARER-ONLY" + + extra_config = { + "backchannel.logout.revoke.offline.tokens" = "false" + "backchannel.logout.session.required" = "true" + } } resource "keycloak_openid_user_client_role_protocol_mapper" "user_client_role_mapper_validation" { name = "%s" 
@@ -464,12 +484,22 @@ resource "keycloak_openid_client" "openid_client" { client_id = "%s" access_type = "BEARER-ONLY" + + extra_config = { + "backchannel.logout.revoke.offline.tokens" = "false" + "backchannel.logout.session.required" = "true" + } } resource "keycloak_openid_client" "openid_client_assigned" { realm_id = data.keycloak_realm.realm.id client_id = "%s" access_type = "BEARER-ONLY" + + extra_config = { + "backchannel.logout.revoke.offline.tokens" = "false" + "backchannel.logout.session.required" = "true" + } } resource "keycloak_openid_user_client_role_protocol_mapper" "user_client_role_mapper_validation" { @@ -494,12 +524,22 @@ resource "keycloak_openid_client" "openid_client" { client_id = "%s" access_type = "BEARER-ONLY" + + extra_config = { + "backchannel.logout.revoke.offline.tokens" = "false" + "backchannel.logout.session.required" = "true" + } } resource "keycloak_openid_client" "openid_client_assigned" { realm_id = data.keycloak_realm.realm.id client_id = "%s" access_type = "BEARER-ONLY" + + extra_config = { + "backchannel.logout.revoke.offline.tokens" = "false" + "backchannel.logout.session.required" = "true" + } } resource "keycloak_openid_user_client_role_protocol_mapper" "user_client_role_mapper_validation" { diff --git a/provider/resource_keycloak_openid_user_property_protocol_mapper_test.go b/provider/resource_keycloak_openid_user_property_protocol_mapper_test.go index a8b72cfc6..5abc56058 100644 --- a/provider/resource_keycloak_openid_user_property_protocol_mapper_test.go +++ b/provider/resource_keycloak_openid_user_property_protocol_mapper_test.go 
@@ -2,12 +2,13 @@ package provider import ( "fmt" + "regexp" + "testing" + "github.com/hashicorp/terraform-plugin-sdk/v2/helper/acctest" "github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource" "github.com/hashicorp/terraform-plugin-sdk/v2/terraform" "github.com/mrparkers/terraform-provider-keycloak/keycloak" - "regexp" - "testing" ) func TestAccKeycloakOpenIdUserPropertyProtocolMapper_basicClient(t *testing.T) { @@ -308,6 +309,11 @@ resource "keycloak_openid_client" "openid_client" { client_id = "%s" access_type = "BEARER-ONLY" + + extra_config = { + "backchannel.logout.revoke.offline.tokens" = "false" + "backchannel.logout.session.required" = "true" + } } resource "keycloak_openid_user_property_protocol_mapper" "user_property_mapper_client" { @@ -350,6 +356,11 @@ resource "keycloak_openid_client" "openid_client" { client_id = "%s" access_type = "BEARER-ONLY" + + extra_config = { + "backchannel.logout.revoke.offline.tokens" = "false" + "backchannel.logout.session.required" = "true" + } } resource "keycloak_openid_user_property_protocol_mapper" "user_property_mapper_client" { @@ -385,6 +396,11 @@ resource "keycloak_openid_client" "openid_client" { client_id = "%s" access_type = "BEARER-ONLY" + + extra_config = { + "backchannel.logout.revoke.offline.tokens" = "false" + "backchannel.logout.session.required" = "true" + } } resource "keycloak_openid_user_property_protocol_mapper" "user_property_mapper" { diff --git a/provider/resource_keycloak_openid_user_realm_role_protocol_mapper_test.go b/provider/resource_keycloak_openid_user_realm_role_protocol_mapper_test.go index 8595cf2d4..5d02a3c94 100644 --- a/provider/resource_keycloak_openid_user_realm_role_protocol_mapper_test.go +++ b/provider/resource_keycloak_openid_user_realm_role_protocol_mapper_test.go 
@@ -310,6 +310,11 @@ resource "keycloak_openid_client" "openid_client" { client_id = "%s" access_type = "BEARER-ONLY" + + extra_config = { + "backchannel.logout.revoke.offline.tokens" = "false" + "backchannel.logout.session.required" = "true" + } } resource "keycloak_openid_user_realm_role_protocol_mapper" "user_realm_role_mapper_client" { @@ -354,6 +359,11 @@ resource "keycloak_openid_client" "openid_client" { client_id = "%s" access_type = "BEARER-ONLY" + + extra_config = { + "backchannel.logout.revoke.offline.tokens" = "false" + "backchannel.logout.session.required" = "true" + } } resource "keycloak_openid_user_realm_role_protocol_mapper" "user_realm_role_mapper" { @@ -377,6 +387,11 @@ resource "keycloak_openid_client" "openid_client" { client_id = "%s" access_type = "BEARER-ONLY" + + extra_config = { + "backchannel.logout.revoke.offline.tokens" = "false" + "backchannel.logout.session.required" = "true" + } } resource "keycloak_openid_user_realm_role_protocol_mapper" "user_realm_role_mapper_client" { @@ -414,6 +429,11 @@ resource "keycloak_openid_client" "openid_client" { client_id = "openid-client" access_type = "BEARER-ONLY" + + extra_config = { + "backchannel.logout.revoke.offline.tokens" = "false" + "backchannel.logout.session.required" = "true" + } } resource "keycloak_openid_user_realm_role_protocol_mapper" "user_realm_role_mapper_validation" { diff --git a/provider/resource_keycloak_openid_user_session_note_protocol_mapper_test.go b/provider/resource_keycloak_openid_user_session_note_protocol_mapper_test.go index 23d94aa3a..f48a562df 100644 --- a/provider/resource_keycloak_openid_user_session_note_protocol_mapper_test.go +++ b/provider/resource_keycloak_openid_user_session_note_protocol_mapper_test.go 
@@ -335,6 +335,11 @@ resource "keycloak_openid_client" "openid_client" { realm_id = data.keycloak_realm.realm.id client_id = "%s" access_type = "BEARER-ONLY" + + extra_config = { + "backchannel.logout.revoke.offline.tokens" = "false" + "backchannel.logout.session.required" = "true" + } } resource "keycloak_openid_user_session_note_protocol_mapper" "user_session_note_mapper_client" { name = "%s" @@ -374,6 +379,11 @@ resource "keycloak_openid_client" "openid_client" { realm_id = data.keycloak_realm.realm.id client_id = "%s" access_type = "BEARER-ONLY" + + extra_config = { + "backchannel.logout.revoke.offline.tokens" = "false" + "backchannel.logout.session.required" = "true" + } } resource "keycloak_openid_user_session_note_protocol_mapper" "user_session_note_mapper" { name = "%s" @@ -393,6 +403,11 @@ resource "keycloak_openid_client" "openid_client" { realm_id = data.keycloak_realm.realm.id client_id = "%s" access_type = "BEARER-ONLY" + + extra_config = { + "backchannel.logout.revoke.offline.tokens" = "false" + "backchannel.logout.session.required" = "true" + } } resource "keycloak_openid_user_session_note_protocol_mapper" "user_session_note_mapper" { name = "%s" @@ -413,6 +428,11 @@ resource "keycloak_openid_client" "openid_client" { realm_id = data.keycloak_realm.realm.id client_id = "%s" access_type = "BEARER-ONLY" + + extra_config = { + "backchannel.logout.revoke.offline.tokens" = "false" + "backchannel.logout.session.required" = "true" + } } resource "keycloak_openid_user_session_note_protocol_mapper" "user_session_note_mapper_client" { name = "%s" @@ -445,6 +465,11 @@ resource "keycloak_openid_client" "openid_client" { realm_id = data.keycloak_realm.realm.id client_id = "openid-client" access_type = "BEARER-ONLY" + + extra_config = { + "backchannel.logout.revoke.offline.tokens" = "false" + "backchannel.logout.session.required" = "true" + } } resource "keycloak_openid_user_session_note_protocol_mapper" "user_session_note_mapper_validation" { name = "%s" 
diff --git a/provider/resource_keycloak_role_test.go b/provider/resource_keycloak_role_test.go index 5b6abd99a..e00ab2471 100644 --- a/provider/resource_keycloak_role_test.go +++ b/provider/resource_keycloak_role_test.go @@ -2,12 +2,13 @@ package provider import ( "fmt" + "strings" + "testing" + "github.com/hashicorp/terraform-plugin-sdk/v2/helper/acctest" "github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource" "github.com/hashicorp/terraform-plugin-sdk/v2/terraform" "github.com/mrparkers/terraform-provider-keycloak/keycloak" - "strings" - "testing" ) func TestAccKeycloakRole_basicRealm(t *testing.T) { @@ -460,6 +461,11 @@ resource "keycloak_openid_client" "client" { client_id = "%s" realm_id = data.keycloak_realm.realm.id access_type = "CONFIDENTIAL" + + extra_config = { + "backchannel.logout.revoke.offline.tokens" = "false" + "backchannel.logout.session.required" = "true" + } } resource "keycloak_role" "role" { @@ -499,6 +505,11 @@ resource "keycloak_openid_client" "client" { client_id = "%s" realm_id = data.keycloak_realm.realm.id access_type = "CONFIDENTIAL" + + extra_config = { + "backchannel.logout.revoke.offline.tokens" = "false" + "backchannel.logout.session.required" = "true" + } } resource "keycloak_role" "role" { @@ -525,12 +536,22 @@ resource "keycloak_openid_client" "client_one" { client_id = "%s" realm_id = data.keycloak_realm.realm.id access_type = "CONFIDENTIAL" + + extra_config = { + "backchannel.logout.revoke.offline.tokens" = "false" + "backchannel.logout.session.required" = "true" + } } resource "keycloak_openid_client" "client_two" { client_id = "%s" realm_id = data.keycloak_realm.realm.id access_type = "CONFIDENTIAL" + + extra_config = { + "backchannel.logout.revoke.offline.tokens" = "false" + "backchannel.logout.session.required" = "true" + } } resource "keycloak_role" "role_1" { diff --git a/provider/resource_keycloak_user_roles_test.go b/provider/resource_keycloak_user_roles_test.go index e2f955d5f..0163a4d72 100644 
--- a/provider/resource_keycloak_user_roles_test.go +++ b/provider/resource_keycloak_user_roles_test.go @@ -2,12 +2,13 @@ package provider import ( "fmt" + "regexp" + "testing" + "github.com/hashicorp/terraform-plugin-sdk/v2/helper/acctest" "github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource" "github.com/hashicorp/terraform-plugin-sdk/v2/terraform" "github.com/mrparkers/terraform-provider-keycloak/keycloak" - "regexp" - "testing" ) func TestAccKeycloakUserRoles_basic(t *testing.T) { @@ -343,6 +344,11 @@ resource "keycloak_openid_client" "openid_client" { client_id = "%s" realm_id = data.keycloak_realm.realm.id access_type = "CONFIDENTIAL" + + extra_config = { + "backchannel.logout.revoke.offline.tokens" = "false" + "backchannel.logout.session.required" = "true" + } } resource "keycloak_saml_client" "saml_client" { @@ -408,6 +414,11 @@ resource "keycloak_openid_client" "openid_client" { client_id = "%s" realm_id = data.keycloak_realm.realm.id access_type = "CONFIDENTIAL" + + extra_config = { + "backchannel.logout.revoke.offline.tokens" = "false" + "backchannel.logout.session.required" = "true" + } } resource "keycloak_saml_client" "saml_client" { @@ -451,6 +462,11 @@ resource "keycloak_openid_client" "openid_client" { client_id = "%s" realm_id = data.keycloak_realm.realm.id access_type = "CONFIDENTIAL" + + extra_config = { + "backchannel.logout.revoke.offline.tokens" = "false" + "backchannel.logout.session.required" = "true" + } } resource "keycloak_saml_client" "saml_client" { @@ -519,6 +535,11 @@ resource "keycloak_openid_client" "openid_client" { client_id = "%s" realm_id = data.keycloak_realm.realm.id access_type = "CONFIDENTIAL" + + extra_config = { + "backchannel.logout.revoke.offline.tokens" = "false" + "backchannel.logout.session.required" = "true" + } } resource "keycloak_saml_client" "saml_client" { diff --git a/provider/resource_keycloak_user_test.go b/provider/resource_keycloak_user_test.go index 7c26e3c88..bd13c7277 100644 
--- a/provider/resource_keycloak_user_test.go +++ b/provider/resource_keycloak_user_test.go @@ -2,10 +2,6 @@ package provider import ( "fmt" - "github.com/hashicorp/terraform-plugin-sdk/v2/helper/acctest" - "github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource" - "github.com/hashicorp/terraform-plugin-sdk/v2/terraform" - "github.com/mrparkers/terraform-provider-keycloak/keycloak" "io/ioutil" "net/http" "net/url" @@ -13,6 +9,11 @@ import ( "regexp" "strings" "testing" + + "github.com/hashicorp/terraform-plugin-sdk/v2/helper/acctest" + "github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource" + "github.com/hashicorp/terraform-plugin-sdk/v2/terraform" + "github.com/mrparkers/terraform-provider-keycloak/keycloak" ) func TestAccKeycloakUser_basic(t *testing.T) { @@ -438,6 +439,11 @@ resource "keycloak_openid_client" "client" { access_type = "PUBLIC" direct_access_grants_enabled = true + + extra_config = { + "backchannel.logout.revoke.offline.tokens" = "false" + "backchannel.logout.session.required" = "true" + } } resource "keycloak_user" "user" { @@ -486,6 +492,10 @@ resource "keycloak_openid_client" "destination_client" { valid_redirect_uris = [ "http://localhost:8080/*", ] + extra_config = { + "backchannel.logout.revoke.offline.tokens" = "false" + "backchannel.logout.session.required" = "true" + } } resource "keycloak_user" "source_user" {
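Review bot: In the last hunk here (`destination_client`), `extra_config` is added directly after the closing `]` of `valid_redirect_uris` with no separating blank line. Every other fixture touched by this commit puts an empty line before the block. Add the blank line before `extra_config = {` so the repeated block has one shape everywhere, which also keeps a later search-and-replace over these fixtures from missing this one.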